Ars Techica reports that the show-and-tell took place on Wednesday at the Black Hat conference, where the three connected a non-jailbroken iPhone to the charger they dubbed Mactans (the Latin name for a black widow spider), which they designed in a week and on a small budget.
Chargers usually contain only transformers, but this one holds a small computer - a BeagleBoard - running Linux which can send USB commands to the connected iPhone, which will automatically trust the source and accept the commands.
The attack cannot be executed if the user does not unlock their device once it plugs it into the charger, but that is no great limitation as many users don't lock their iPhones, and those who do often automatically unlock it once they plug it into a charger in order to perform an action (see a message, make a phone call, etc.).
The researchers took advantage of a little-known feature that allows developers to deploy applications to their own devices for testing purposes. They can do so via a provisioning profile, that they can easily create by first querying the iPhone for its UDID, and then sending it to Apple's Web page. There, the developers choose which specific application they want to test, and the provisioning profile is created, and can be deployed on the iPhone over USB.
They also took advantage of another Apple security weakness, which allowed them to bypass Apple's app vetting process by making the Trojan-like app hide the malicious code it contains.
In their demonstration, they used a trojanized Facebook app that was installed instead of the legitimate one, and it allowed them to do things like post tweets, take screenshots when the user enters passwords, send SMS messages, make calls - all without the victim's permission and knowledge.
Apple has been notified of the team's discovery of these flaws, and has already reacted by implementing a new feature into the beta version of iOS 7 that asks users if they trust the currently connected computer every time they connect their device to one - and a Mactans charger would obviously qualify and be detected as such.
The issue will be patched in the final iOS 7 version that is scheduled to be released later this year, but unfortunately Apple hasn't said whether it will patch all the versions prior to that one.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.